Several questions as feedback on gnupg
Werner Koch
wk@gnupg.org
Thu Jan 24 10:42:01 2002
On Wed, 23 Jan 2002 16:45:10 +0100, Loic Bernable said:
> - I've been told the different running keyservers do not support the
> deletion of a uid. Can anyone confirm this point ? Where can I
> find the latest version of keyserver software used at this time ?
This is for several reasons not possible - the only thing a keyserver
could do is to delete expired or revoked secondary encryption-only
keys. But this is mainly a performance issue.
> - Are you aware of legal restrictions in some countries concerning the
> setup of a public keyserver ?
Don't know.
> - I've read somewhere that some French people asked Werner to contact
> French administration (SCSSI) to legalize the use of GnuPG in France.
> There should be no theoretical problem, as PGP had been validated
> lastly. Is that true, Werner ? Did you have the time to get
Yes, but I don't speak French too well ;-) It would be better if a
French company does this. What about Mandrake, they are distributing
it.
> - I realized during a demonstration that no authentication is needed
> when modifying the trust values, and in particular assigning a higher
> trust value. Can't it be a problem ? If someone changes the trust
Someone else has already answered this.
> - A friend of mine pointed out the problem that may occur with persons
> who have a common name and surname. Let's suppose your name is "John Doe
> jd@yahoo.com". Now, imagine there is another John Doe, that generates
The question of Identity is far more complicated than the technical
issues. I agree that it would be better to probe the email address
but unless there are no good tools for automating this task it is a
lot of work. I usually don't do this but compare the name with a
passport and check that the email address is plausible.
Ian Jackson once posted his scripts to automate the task of a personal
PGP CA; one might want to base a new tool on this. Such a tool should
be able to cope with:
- sign-only keys which are used by a couple of folks as a kind of
high security key.
- keys stored offline which require the transport of the requests
and replies via floppy
> clear enough ? :o) This can still be a problem ... Maybe one day we
> will have a thumbprint analysis tool that would complete our public
Biometrics don't help here; they are only usable with strong, physically
protected systems. And you certainly don't want to leave a
fingerprint in a public database - there are too many ways to abuse
such a database.
Werner
--
Werner Koch Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions -- Augustinus